Security

This section documents the security measures implemented in SaaS-Courier.

Security Architecture

Backend Security

  • Authentication: JWT with 15-minute access tokens, 7-day refresh tokens
  • Password Hashing: bcrypt with automatic salt
  • Database: PostgreSQL with Row Level Security (RLS)
  • API Versioning: URL-based versioning (/api/v1/, /api/v2/)
  • Input Validation: Pydantic schemas at presentation layer
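
The following is an added illustration, not SaaS-Courier's own code, of how the two token lifetimes above are enforced on the backend: a minimal HS256 JWT helper that mints 15-minute access and 7-day refresh tokens and rejects expired, tampered, wrongly typed or non-HS256 tokens. The signing secret and user id are constructed sample values, and the `typ` claim used to keep refresh tokens from being accepted as access tokens is an assumption, since the page does not say how the two kinds are told apart.

```python
"""Minimal HS256 JWT helper using the lifetimes documented for SaaS-Courier:
15-minute access tokens and 7-day refresh tokens (example code)."""
import base64, hashlib, hmac, json, time
from typing import Optional

ACCESS_TTL = 15 * 60          # seconds: 15-minute access tokens
REFRESH_TTL = 7 * 24 * 3600   # seconds: 7-day refresh tokens
SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed sample key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(sub: str, typ: str, now: Optional[float] = None) -> str:
    """Issue an 'access' or 'refresh' token. The typ claim (assumed, not from
    the page) lets each endpoint accept only the token kind it expects."""
    now = time.time() if now is None else now
    ttl = ACCESS_TTL if typ == "access" else REFRESH_TTL
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "typ": typ, "iat": int(now), "exp": int(now) + ttl}
    h = _b64(json.dumps(header, separators=(",", ":")).encode())
    p = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64(sig)}"

def verify(token: str, expected_typ: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if structure, algorithm, signature, token type
    and expiry all check out; otherwise return None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64(h))
        claims = json.loads(_unb64(p))
        sig = _unb64(s)
    except ValueError:                      # malformed base64/JSON/segment count
        return None
    if header.get("alg") != "HS256":        # refuse alg=none and algorithm swaps
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time signature check
        return None
    if claims.get("typ") != expected_typ:   # a refresh token is not an access token
        return None
    if claims.get("exp", 0) <= now:         # expired at or after exp
        return None
    return claims
```

Expiry is checked against the caller-supplied clock, so the 15-minute and 7-day windows can be tested deterministically without waiting.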

Frontend Security

  • Token Encryption: Fernet/AES encryption for tokens in SharedPreferences
  • HTTPS Enforcement: Blocks HTTP requests in production
  • Rate Limiting: Client-side rate limiting for public tracking (30 req/min)
  • Input Validation: Client-side sanitization and validation
  • IP Blocklist: Automatic block after 50 failed attempts

Environment Security

# Session & Token Security
SESSION_TIMEOUT_MINUTES=15
REFRESH_BEFORE_EXPIRY_MINUTES=2
ENCRYPT_TOKENS=true
REQUIRE_HTTPS_IN_PRODUCTION=true